CVE-2026-24696 identifies a security weakness in the Everon api.everon.io WebSocket API related to CWE-307, which concerns the lack of proper restrictions on the number of authentication requests. The WebSocket API does not enforce rate limiting, allowing attackers to flood the authentication mechanism with excessive requests. This can lead to denial-of-service (DoS) conditions by overwhelming the system, causing legitimate charger telemetry data to be suppressed or misrouted, thereby disrupting the normal operation of electric vehicle charging infrastructure. Additionally, the absence of rate limiting facilitates brute-force attacks, where attackers systematically attempt numerous authentication attempts to gain unauthorized access. The vulnerability affects all versions of the Everon API and requires no privileges or user interaction to exploit, making it accessible remotely over the network. The CVSS v3.1 score of 7.5 reflects a high severity due to the network attack vector, low attack complexity, no privileges required, and no user interaction needed, with a significant impact on availability but no direct impact on confidentiality or integrity. While no exploits are currently known in the wild, the vulnerability poses a substantial risk to organizations relying on Everon's API for telemetry and control of EV charging stations. The lack of patch information suggests that mitigations must be implemented at the network or application layer until an official fix is released.

The primary impact of this vulnerability is on the availability of services relying on the Everon api.everon.io WebSocket API. Attackers can launch denial-of-service attacks by flooding authentication requests, which can suppress or misroute legitimate telemetry data from EV chargers. This disruption can lead to inaccurate monitoring, delayed responses to charger status, and potential operational outages in EV charging networks. Additionally, the vulnerability enables brute-force attacks that could allow unauthorized access if successful, potentially leading to further compromise or manipulation of charging infrastructure. Organizations worldwide that depend on Everon's API for telemetry and control could face service interruptions, reputational damage, and operational inefficiencies. The lack of confidentiality and integrity impact reduces the risk of data breaches but does not eliminate the threat to service continuity. Given the increasing reliance on EV infrastructure, such disruptions could have cascading effects on transportation and energy sectors.

To mitigate this vulnerability, organizations should implement strict rate limiting on authentication requests at the WebSocket API level to prevent abuse. Deploying Web Application Firewalls (WAFs) or API gateways capable of detecting and throttling excessive authentication attempts can reduce the risk of DoS and brute-force attacks. Monitoring and alerting on abnormal authentication request patterns is critical for early detection of exploitation attempts. Network segmentation and access controls should be enforced to limit exposure of the API to trusted clients only. Employing multi-factor authentication (MFA) where possible can further reduce the risk of unauthorized access. Until an official patch is released by Everon, these compensating controls are essential. Organizations should also engage with Everon for timely updates and apply patches promptly once available. Regular security assessments and penetration testing focused on authentication mechanisms can help identify residual risks.